Remix.run Logo
tzs a day ago

I took a quick look at the Texas law. Like a few other such laws it allows sites to use an external service to do the check, as long as the service uses a "commercially reasonable" method of doing that. That basically means it has to be based on government ID or by inference based on certain types of transaction records they can get access to (e.g., if you have a mortgage they can reasonably infer you are an adult).

As far as I can tell it would be possible to build an age verification service based on an open source ZKP implementation such as Google's Longfellow [1] that would be acceptable to these laws, but would allow anonymous age verification. It would be similar to the system the EU is now trialing, except not limited to iOS and to Android devices with Google Play. Longfellow should be able to work with those but also most modern smart phones running any OS the supports the phone's secure element, and also desktop computers that have secure elements, and devices like YubiKeys.

You would have to verify your age with the age verification service to set things. The easiest way to make it so that is not a privacy risk is for the age verification service to be offered by some entity that already has your ID documents. In the EU that would be the governments themselves, but I don't think any US state governments are ready to do that.

The age verification service doesn't necessarily need to store copies of whatever ID you present. It just needs to know you are when it issues its ID documents that get bound to your device's secure element. If this service was offered by some entity that has a widespread physical presence (a bank would be perfect) you could go in, show ID in person, and get your device enrolled.

Even better would be for a trusted non-profit to run this, like the EFF or the ACLU. Yes, I know they don't want age verification to happen at all, but they are going to lose that one, and it would be prudent to try to make it so that people have a privacy preserving way to do it that can be used anonymously when that happens.

Anyway, once your device is set up verifying your age to a website would involve a protocol between your device in the website the uses a ZKP (Zero Knowledge Proof) to demonstrate to the website that the identify information the age verification service bound to the secure element on the your devices says your age is acceptable. The ZKP doesn't disclose anything else from your identidy information. (The web server sees your IP address of course, but they would see that without age verification too). Note that the age verification service has no idea when, or were, you age verify at a website.

[1] https://github.com/google/longfellow-zk

walrus01 a day ago | parent | next [-]

> Even better would be for a trusted non-profit to run this, like the EFF or the ACLU.

You're seriously proposing that organizations along the same general lines as the EFF or ACLU would be okay with being the implementing partner of a "papers, please" identify verification regime? I highly doubt their leadership would entertain the idea for even the briefest moment.

tzs a day ago | parent [-]

I'm proposing that organizations like that recognize that age verification is going to happen, and try to ensure that when that happens there will be at lease some age verification services that do it in a way that doesn't subject you to a "papers, please" situation every time you go to a website that has to check age.

It can be done with either 0 or 1 "papers, please" events per device rather than 1 per website or worse 1 per website visit, and without preventing anonymous access, but most of the laws do not require that it be done that. Most age verification services will do the minimum required, which usually will mean they are more intrusive and more leaky.

The best way they could ensure that, if they can't convince governments to write the age verification laws to require it, would be to operate such a service themselves.

squigz a day ago | parent [-]

I hate how quickly some people have just accepted age verification is inevitable.

tzs 10 hours ago | parent | next [-]

Look at all the countries with it already or that are in the midst of implementing it [1]. It won't stop there.

Even if the tide turns it is going to be pretty widespread before it ebbs. Why not work to make sure before that happens it is done in a way that protects privacy?

[1] https://en.wikipedia.org/wiki/Online_age_verification_laws_b...

inigyou 19 hours ago | parent | prev [-]

You got an alternative proposal? You could run you and 537 of your best friends for Congress and make it illegal

squigz 19 hours ago | parent [-]

I'm not American. Nor is Motherless. And yet...

inigyou 19 hours ago | parent [-]

.com is American.

walrus01 18 hours ago | parent [-]

But should it be? Verisign having control over it is a weird historical artifact of the early days of the internet.

inigyou 18 hours ago | parent [-]

all non-two-letter TLDs are American. I think we should ban them all and put them under .us, but it will never happen. You can't get there from here. Path dependence.

Also ICANN should have gotten the corporate death penalty when it announced gTLDs.

dlenski a day ago | parent | prev [-]

Even ignoring the political aspects, like the fact that EFF/ACLU don't want to be in this business (as you note)…

This system will likely fail in the same way that almost every new DRM system has failed: someone will implement the "secure element" badly and its keys or secrets will get exfiltrated and cloned.

It's one thing to keep a cryptosystem secure when its users appreciate that system (e.g. hard disk encryption or TOTP 2FA)… but it's very hard to keep cryptosystems secure when millions or billions of people are unwilling and resentful users having those systems imposed on them.